Maxim Healthcare – Data Breach of Medical Information
Consumer Protection Attorneys in California
On November 4, Maxim Healthcare Group, including Maxim Healthcare Services and Maxim Healthcare Staffing (collectively “Maxim Healthcare”) issued a press release about a breach — a press release they describe as issued “out of an abundance of caution.” That sounds like they had an option not to disclose. I would think that they were required to make notification as a matter of law, but their lawyers might disagree with my non-lawyerly opinion.
According to their press release, on or about December 4, 2020, Maxim Healthcare became aware of unusual activity related to several employees’ email accounts. Investigation revealed that unauthorized access to some accounts had occurred between October 1, 2020 and December 4, 2020.
Beyond that determination, however, Maxim was unable to determine which email messages or attachments had been accessed, so the investigators inspected all messages and attachment to determine what could potentially have been accessed.
The types of personal information that may have been accessible to an unauthorized actor include: name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number, and username/password. For a limited number of individuals, Social Security number may also have been accessible.
As part of their response to this incident, Maxim Healthcare “instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities.”
Had they deployed MFA before this incident, would they have been successfully attacked?
Will HHS accept their timeline as to why, when they first discovered a problem in December 2020, it took until November 2021 to notify patients? Does the “no later than 60 days” really have any meaning or teeth if HHS never enforces it? Why did it take until August 24 to get the review of email contents? Should it be viewed as unacceptable and violative of HIPAA and HITECH to take this long to notify patients?
If these criticisms sound harsh or unfair, well, if your information might be in the hands of criminals and the entity you trusted with your information can’t even determine that, would you be okay not being informed for 11 months?
HHS OCR tends to use a somewhat non-punitive approach to working with entities when HHS investigates breaches. If that hasn’t worked to decrease the number of breaches because entities are still not deploying basic precautions like MFA, maybe it’s past time for HHS to take the velvet gloves off and start imposing some corrective action plans with monetary penalties — even if the penalties are not large.
Updated Nov. 9: The breach was reported to HHS as impacting 65,267 patients.
While identity thieves are becoming more sophisticated at breaking through the data protection of businesses, it is the company’s responsibility to provide the highest level of security for their consumers. This is especially true when medical information is involved. Medical information of the type lost here, is given special protection under California law.
(858) 293-4614 Call now to review your case with our Data Breach intake specialist. During this call, our intake specialist will review your claim regarding the Maxim Healthcare Lawsuit.
*HIPAA and CMIA Violations – You may be entitled to damages or other remedies. If you received notice that your information was stolen due to a data breach incident, contact Potter Handy, LLP to join our class action lawsuit. No out-of-pocket expenses from you.
What Information Was Involved?
The information involved may include:
- Date of birth
- Diagnosis code
- Medical history
- Medical condition
- Contact information
- Treatment information
- Social Security number
- Medical record number
- Patient account number
- Medicare/Medicaid number and username/password
Maxim Healthcare Lawsuit – Contact Our California Data Breach Lawyers
Have you received notice that your information was stolen due to a data breach incident? If so, you may be entitled to damages or other remedies.
Every day, insurance companies and health care providers lose protected medical information through careless acts, such as emailing third parties’ medical information or sending your personal information to third parties without any encryption or protection.
Our attorneys at Potter Handy, LLP have been instrumental in protecting privacy rights.